Flexible WLAN access point architecture capable of accommodating different user devices

ABSTRACT

The invention provides an apparatus and a method for improving the control of access by a terminal device in a WLAN environment. An access point determines whether the device uses the IEEE 802.1x protocol by sending the device a packet: if the device uses IEEE 802.1x it responds appropriately; otherwise the access point determines that the terminal device does not employ the IEEE 802.1x protocol and selects an authentication mechanism compatible with the terminal device. If the device is not an IEEE 802.1x client, IP packet filtering is configured to redirect the user's HTTP requests to a local server, and when the HTTP requests are thereby redirected, the HTTP server presents the terminal device with information specifically related to browser-based authentication.

RELATED APPLICATION

This application claims the benefit, under 35 U.S.C. §365, of International Application PCT/US04/07805, filed Mar. 12, 2004, which was published in accordance with PCT Article 21(2) on Sep. 30, 2004 in English and which claims the benefit of U.S. provisional patent application No. 60/454,558, filed Mar. 14, 2003.

FIELD OF THE INVENTION

The invention provides an apparatus and a method for controlling access by a user terminal to a communications network, and in particular an apparatus and a method for controlling access by a mobile terminal to a WLAN by accommodating the particular capabilities of each mobile terminal and selecting accordingly the optimum available authentication mechanism.

DESCRIPTION OF RELATED ART

The context of the present invention is the family of wireless local area networks (WLANs) employing the IEEE 802.1x architecture, having an access point that provides access for mobile devices to other networks, such as hard-wired local area networks and global networks such as the Internet. Advancements in WLAN technology have resulted in WLANs that are publicly accessible at rest stops, cafes, libraries and similar public facilities (“hot spots”). Presently, public WLANs offer mobile communication device users access to a private data network, such as a corporate intranet, or a public data network such as the Internet, as well as peer-to-peer communication and live wireless TV broadcasting. The relatively low cost to implement and operate a public WLAN, as well as the available high bandwidth (usually in excess of 10 Megabits/second), makes the public WLAN an ideal access mechanism through which mobile wireless communications device users can exchange packets with an external entity. However, as will be discussed below, such open deployment may compromise security unless adequate means for identification and authentication exist.

When a user operating a terminal incorporating the IEEE 802.1x protocol (“client terminal” or simply “IEEE 802.1x client”) attempts to access a public WLAN at a hot spot, the IEEE 802.1x client terminal begins the authentication process according to its current machine configuration. After authentication, the public WLAN opens a secure data channel to the mobile communications device to protect the privacy of data passing between the WLAN and the device. Presently, many manufacturers of WLAN equipment have adopted the IEEE 802.1x protocol for deployed equipment. However, other devices using a WLAN may use other protocols, such as Wired Equivalent Privacy (WEP). Notably, the predominant authentication mechanism for WLANs uses the IEEE 802.1x protocol. Unfortunately, the IEEE 802.1x protocol was designed with private LAN access as its usage model. Hence, the IEEE 802.1x protocol does not provide certain convenient features necessary in a public WLAN environment. A further problem with the current predominant standard is that it requires IEEE 802.1x client software installation and configuration. In addition, the IEEE 802.1x protocol does not have a sophisticated mechanism for interacting with the user. The access point can only send simple messages to the client via Extensible Authentication Protocol (EAP) notification. This may be sufficient for an enterprise setting, but in a hot spot the access point might require that the user accept an end user license before permitting access. In some instances, the access point needs to inform the user about service charges. One solution would be to provide the access point with the capability to interact with users via the web browser interface.

Most existing WLAN hot spot wireless providers use a web browser based solution for user authentication and access control, offering convenience to the user in that it does not require any software download on the user device. As illustrated in FIG. 1, the primary entities typically involved in an authentication in a public WLAN environment are a mobile terminal (MT), a WLAN access point (AP), a local server and an authentication server (AS). In the web based solution, the user is securely authenticated through HTTPS by the AS, which in turn notifies the AP to grant access to the MT. Such an authentication server may be owned by the WLAN operator or by any third party provider, such as Independent Service Providers (ISPs), pre-paid card providers or cellular operators, referred to more broadly as virtual operators. A public WLAN hot spot, therefore, should accommodate such different client and operator capabilities, and the WLAN should be able to select different authentication mechanisms based on them. The prior art has not sufficiently addressed means that would provide such capabilities; the invention described herein provides a novel solution.

SUMMARY OF THE INVENTION

What is desired is an apparatus and a method for improving the security, or control of access, of a user terminal to a communications network, and in particular the control of access by a mobile terminal to a wireless local area network.

The invention provides a method for controlling access by a terminal device by determining the type of authentication protocol associated with the terminal device and automatically routing the authentication request to the appropriate authentication server. Specifically, the invention provides a method for controlling the access of a terminal device in a WLAN environment by determining whether the terminal device uses the IEEE 802.1x protocol, comprising the steps of an access point communicating to the mobile terminal a request to identify and, if the mobile terminal uses the IEEE 802.1x protocol, the mobile terminal acknowledging the request to identify; otherwise the access point determines that the mobile terminal does not employ the IEEE 802.1x protocol and therefore selects an authentication mechanism compatible with the mobile terminal.

If the terminal device is not IEEE 802.1x compliant, the access point enters a state indicating that the terminal is a non-IEEE 802.1x client, configures an IP packet filter and redirects the user's HTTP requests to a local server. The process of the present invention may also communicate from the local server to the terminal device information specifically related to a browser-based authentication. If the device uses the IEEE 802.1x protocol, the access point transitions to a state that indicates that the mobile terminal is IEEE 802.1x compliant and thereafter processes all further communication using the IEEE 802.1x protocol. In the event that the authentication process fails, one embodiment of the present invention initiates a failure condition in the access point.

One embodiment of the invention for improving the security of a terminal device in a WLAN environment uses the access point to determine whether the device uses the IEEE 802.1x protocol by having the access point communicate to the terminal device a Request-Identity EAP packet; if the device uses the IEEE 802.1x protocol, the device responds with a Response-Identity EAP packet, and otherwise the access point determines that the mobile terminal does not employ the IEEE 802.1x protocol (e.g. based on a timeout) and selects an authentication mechanism compatible with the mobile terminal.

The invention for improving the security of a terminal device in a WLAN environment also includes an apparatus comprising an access point in communication with a terminal device in a WLAN environment, with a means to determine whether the terminal device uses the IEEE 802.1x protocol; if the terminal does not use said protocol, the access point employs an authentication means compatible with the terminal device, and otherwise the access point employs the IEEE 802.1x protocol. The access point's means to determine includes communicating to the terminal device a Request-Identity EAP packet, and if the mobile terminal uses the IEEE 802.1x protocol the access point receives a Response-Identity EAP packet. The access point further comprises means to configure IP packet filtering to redirect the device's HTTP requests to a local server if the terminal device does not use said protocol.

In a further embodiment of the apparatus, the access point includes means to communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering through an IP filter module and state information for the HTTP server, to control the terminal device's access during and after the IEEE 802.1x based authentication process if the access point detects that the terminal device is an IEEE 802.1x client.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is best understood from the following detailed description when read in connection with the accompanying drawings. The various features of the drawings are not specified exhaustively. On the contrary, the various features may be arbitrarily expanded or reduced for clarity. Included in the drawings are the following figures:

FIG. 1 is a block diagram of a communications system for practicing the method of the present invention for improving the security of a terminal device in a WLAN environment.

FIG. 2 is a flow diagram of the method of the authentication sequence of the present invention.

FIG. 3 is a flow diagram of the method of the present invention illustrating an authentication failure.

FIG. 4 is a block diagram of an apparatus for implementing the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In the figures to be discussed, the circuits and associated blocks and arrows represent functions of the process according to the present invention, which may be implemented as electrical circuits and associated wires or data busses that transport electrical signals. Alternatively, one or more associated arrows may represent communication (e.g., data flow) between software routines, particularly when the present method or apparatus of the present invention is implemented as a digital process.

In accordance with FIG. 1, one or more mobile terminals represented by 140_1 through 140_n communicate through an access point (AP) 130_n with local computer 120, in association with firewalls 122, and with one or more virtual operators 150_(1-n), such as authentication server 150_n. Communication from terminals 140_(1-n) typically requires accessing a secured database or other resources via the Internet 110 and associated communication paths 154 and 152, which require a high degree of security from unauthorized entities such as would-be hackers.

As further illustrated in FIG. 1, the WLAN architecture encompasses several components and services that interact to provide station mobility transparent to the higher layers of a network stack. The stations, such as access points 130_(1-n) and mobile terminals 140_(1-n), are the components that connect to the wireless medium and typically contain the functionality of the IEEE 802.1x protocols, that being the MAC (Medium Access Control) 134_(1-n) and corresponding PHY (Physical Layer) (not shown), and a connection 127 to the wireless media. Communication functions and protocols are implemented in the hardware and software of a wireless modem or a network access or interface card. This invention proposes a method for implementing a means in the communication stream such that an access point 130_n improves the security of a terminal device in a WLAN environment 115, whether the device uses the IEEE 802.1x protocol or not, while remaining within the compatibility requirements of the IEEE 802.1x WLAN MAC layers for downlink traffic (e.g. from an authentication server 150 to a mobile terminal 140_n such as a laptop), as each may participate in the authentication of one or more wireless mobile devices 140_(1-n), a local server 120 and a virtual operator such as the authentication server 150.

In accordance with the present principles of the invention, an access 160 enables each mobile terminal 140_(1-n) to securely access a WLAN 115 by authenticating the mobile terminal 140_(1-n) as well as its communication stream in accordance with the IEEE 802.1x protocol or another optional protocol, as the specific terminal 140_(1-n) may choose. The manner in which the access 160 enables such secure access can best be understood by reference to FIG. 2, which depicts the sequence of interactions that occurs among a mobile wireless communication device, say mobile terminal 140_n, the public WLAN 115 and authentication server 150_n. When configured with the IEEE 802.1x protocols, the access point 130_n of FIG. 1 maintains a controlled port and an uncontrolled port, through which the access point exchanges information with the mobile terminals 140_n. The controlled port maintained by the access point 130_n serves as the entryway for non-authentication information, such as data traffic, to pass through the access point between the WLAN 115 and the mobile terminals 140_n. Ordinarily, the access point 130_n keeps the respective controlled port closed in accordance with the IEEE 802.1x protocol until authentication of the mobile wireless communications device. The access point 130_n always maintains the respective uncontrolled port open to permit the mobile terminals 140_n to exchange authentication data with the local server or the virtual server 150_n.

With reference to FIG. 2, a further embodiment of the present invention is the use of the access point 130_n to create several operational states. Following an EAP Response-Identity packet 220, a state 1x_progress 340 indicates that the mobile terminal 140_n is an IEEE 802.1x client and the 802.1x authentication process is ongoing. Such means to select from one or more available security protocols are well known to those skilled in the art of programming and engineering in a WLAN environment. The 802.1x engine 325 is therefore responsible for client detection and for providing the client capability information to other modules of the system. In addition, it also implements RADIUS client functionality to convert EAP messages to RADIUS messages, forwarding such messages in the form of a RADIUS access request 230 and responding to RADIUS access reject messages 240. The packet filter module 330 is responsible for filtering packets based on the criteria set by other modules. The method used by the access point to determine that the terminal is not IEEE 802.1x protocol compliant is based upon a pre-established timer expiring before the access point receives the EAP Response-Identity packet.

More particularly, FIG. 3 illustrates an embodiment of the method of the present invention wherein the access point 130_n detects that the mobile terminal 140_n is not an authenticated IEEE 802.1x client and redirects the client 335, thereby configuring through an IP packet filter module 330 a redirect to the HTTP server 120 via a web request redirect 345. Alternatively, mobile terminal 140_n may send a direct web access request 355, which is redirected by the packet filter module 330 to the HTTP server 120. The HTTP server 120 responds with information 350 specifically related to the browser based authentication.

In the case where the access point 130_n detects that the terminal device is an IEEE 802.1x client, it permits normal IEEE 802.1x protocol communication exchanges to proceed through the access point 130_n and sets up appropriate IP packet filtering through IP filter module 330, and state information for the HTTP server 120, to control the mobile terminal 140_n user's access during and after the IEEE 802.1x based authentication process.

As indicated above, the WLAN 115 system must maintain proper state information for the system to function properly. Such state information will be provided by the 802.1x engine of the access point 130_n, and is used by, among other things, the packet filtering function 330 and the HTTP server 120. With reference to FIG. 3, a further embodiment of the present invention is the use of the 802.1x engine of the access point 130_n to create several operational states. Following a Response-Identity EAP packet 220, a state 1x_progress 340 indicates that the mobile terminal 140_n is an IEEE 802.1x client and the 802.1x authentication process is ongoing. Following a Response-Identity EAP packet 220, a state 1x_failure 350 would indicate that the 802.1x authentication process failed for one or more reasons not pertinent to the invention herein. Following a Response-Identity EAP packet 220, a state non_1x 360 would indicate that the mobile terminal 140_n is a non-IEEE 802.1x client. Because for such a client all access controls are done at the higher layers, no further classification of state is necessary.
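The client-detection and state-keeping logic described in this section (the Request-Identity / Response-Identity exchange with a timeout, the 1x_progress, 1x_failure and non_1x states, and the packet-filter redirect of HTTP to the local server for non-802.1x clients) can be sketched in code. The following Python is an added illustration, not code from the patent or from any product implementing it. The EAPOL and EAP field layouts are those of IEEE 802.1X and RFC 3748; the class and function names, the timeout value, the local-server address and the sample frames are constructed for this example, and the filter rule for the 1x_failure state follows the claims' statement that the access point moves to the browser-based path when 802.1x authentication fails.

```python
import struct
from enum import Enum

# EAPOL / EAP field values from IEEE 802.1X and RFC 3748.
EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
LOCAL_SERVER = "10.0.0.2:80"   # constructed address of the local HTTP server


def build_eap_request_identity(identifier):
    """EAPOL frame carrying an EAP Request-Identity (code 1, type 1, no data)."""
    eap = struct.pack("!BBHB", EAP_CODE_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eap_response_identity(frame, expected_id):
    """Return the identity string if frame is a well-formed EAP Response-Identity
    whose identifier matches the request we sent, else None. Both length fields
    are checked so a truncated or inconsistent frame never counts as a response."""
    if len(frame) < 9:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET or eapol_len > len(frame) - 4:
        return None
    code, ident, eap_len, eap_type = struct.unpack("!BBHB", frame[4:9])
    if (code, ident, eap_type) != (EAP_CODE_RESPONSE, expected_id, EAP_TYPE_IDENTITY):
        return None
    if eap_len < 5 or eap_len > eapol_len:
        return None
    return frame[9:4 + eap_len].decode("utf-8", errors="replace")


class State(Enum):
    UNKNOWN = "unknown"             # Request-Identity sent, timer running
    ONE_X_PROGRESS = "1x_progress"  # Response-Identity seen, 802.1x auth ongoing
    ONE_X_SUCCESS = "1x_success"    # authentication server accepted the client
    ONE_X_FAILURE = "1x_failure"    # 802.1x authentication failed
    NON_1X = "non_1x"               # timer expired without a Response-Identity


class ClientDetector:
    """Per-client state held by the access point's 802.1x engine (constructed)."""

    def __init__(self, timeout_s=3.0, eap_id=1):
        self.timeout_s, self.eap_id = timeout_s, eap_id
        self.state, self.deadline, self.identity = State.UNKNOWN, None, None

    def start(self, now):
        """Arm the detection timer and return the Request-Identity frame to send."""
        self.deadline = now + self.timeout_s
        return build_eap_request_identity(self.eap_id)

    def on_frame(self, frame, now):
        """Any frame from the client: only a valid, in-time Response-Identity matters."""
        if self.state is State.UNKNOWN and now < self.deadline:
            ident = parse_eap_response_identity(frame, self.eap_id)
            if ident is not None:
                self.identity, self.state = ident, State.ONE_X_PROGRESS

    def on_tick(self, now):
        """Timer expiry with no valid response: classify as a non-802.1x client."""
        if self.state is State.UNKNOWN and now >= self.deadline:
            self.state = State.NON_1X

    def on_auth_result(self, success):
        """Outcome of the RADIUS exchange for an 802.1x client."""
        if self.state is State.ONE_X_PROGRESS:
            self.state = State.ONE_X_SUCCESS if success else State.ONE_X_FAILURE


def filter_action(state, packet):
    """Packet-filter decision for one client packet. packet is a constructed dict
    such as {"proto": "tcp", "dst_port": 80}; EAPOL is modelled as proto "eapol"."""
    if packet["proto"] == "eapol":
        return "allow"                 # the uncontrolled port is always open
    if state is State.ONE_X_SUCCESS:
        return "allow"                 # controlled port opens after 802.1x success
    if state in (State.NON_1X, State.ONE_X_FAILURE):
        # Browser-based path: HTTP goes to the local server, everything else is blocked.
        if packet["proto"] == "tcp" and packet["dst_port"] == 80:
            return "redirect:" + LOCAL_SERVER
        return "drop"
    return "drop"                      # UNKNOWN or 1x_progress: only EAPOL passes


def run_scenarios():
    """Two constructed clients: an 802.1x supplicant and a browser-only device."""
    results = {}
    a = ClientDetector()
    a.start(now=0.0)
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, 1, 14, EAP_TYPE_IDENTITY) + b"alice@isp"
    reply = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    a.on_frame(reply, now=0.5)
    a.on_tick(now=3.5)                 # a late tick must not downgrade a detected client
    results["a_state"], results["a_identity"] = a.state, a.identity
    a.on_auth_result(True)
    results["a_https"] = filter_action(a.state, {"proto": "tcp", "dst_port": 443})

    b = ClientDetector()
    b.start(now=0.0)
    b.on_frame(b"GET / HTTP/1.1\r\n", now=1.0)   # not EAPOL, so ignored
    b.on_tick(now=3.0)
    results["b_state"] = b.state
    results["b_http"] = filter_action(b.state, {"proto": "tcp", "dst_port": 80})
    results["b_dns"] = filter_action(b.state, {"proto": "udp", "dst_port": 53})
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

Two details matter from a defender's point of view: the parser checks both length fields and the EAP identifier before trusting the identity bytes, so a truncated or malformed EAPOL frame is treated as no response rather than as a valid one, and the timer expiry cannot overwrite a state that has already moved to 1x_progress, so a late tick does not downgrade a detected 802.1x client to the browser-based path.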

The access point includes an 802.1x engine 325, which is a module that implements the IEEE 802.1x protocol with the determining means necessary to carry out the steps of the invention. Such means to select from one or more available security protocols are well known to those skilled in the art of programming and engineering in a WLAN environment. The 802.1x engine 325 is therefore responsible for client detection and for providing the client capability information to other modules of the system. In addition, it also implements RADIUS client functionality to convert EAP messages to RADIUS messages. The packet filter module 330 is responsible for filtering packets based on the criteria set by other modules.

Referring to FIG. 4, shown is an apparatus of the present invention for improving the security of the terminal device 140_n in the WLAN 115 environment. The access point 130_n maintains communication with the terminal device 140_n and uses a means 415 to determine whether the terminal device 140_n uses the IEEE 802.1x protocol; if the terminal 140_n does not use said protocol, the access point 130_n employs an authentication means 420 compatible with the terminal device 140_n, and otherwise the access point employs the IEEE 802.1x protocol using means 425. The means to determine of the access point 130_n includes communicating to the terminal device 140_n a Request-Identity EAP packet, and if the mobile terminal 140_n uses the IEEE 802.1x protocol the access point 130_n receives a Response-Identity EAP packet. The access point 130_n further comprises the means 430 to configure IP packet filtering to redirect, through means 435, the device's HTTP requests to a local server if the terminal device 140_n does not use the protocol. In the event the IEEE 802.1x protocol is used, the means 425 uses means 440 to ensure that the communication is not redirected.

In a further embodiment of the apparatus, the access point includes means to communicate IEEE 802.1x protocol exchanges and means to establish IP packet filtering through an IP filter module and state information for the HTTP server, to control the terminal device's access during and after the IEEE 802.1x based authentication process if the access point detects that the terminal device is an IEEE 802.1x client.

It is to be understood that the form of this invention as shown is merely a preferred embodiment. Various changes may be made in the function and arrangement of parts; equivalent means may be substituted for those illustrated and described; and certain features may be used independently from others without departing from the spirit and scope of the invention as defined in the following claims.

1. A method for controlling user terminal access to a wireless local area network, comprising the steps of: receiving from a user terminal a request to access the wireless local area network; transmitting to the user terminal an identity request message; receiving from the user terminal a response to the identity request message; determining whether the user terminal is IEEE 802.1x compliant in response to the response to the identity request message; selecting an authenticating mechanism utilizing IEEE 802.1x if said user terminal is IEEE 802.1x compliant; selecting an authentication mechanism, compatible with the user terminal, in response to a determination that the user terminal is not IEEE 802.1x compliant, for allowing user terminal access to the wireless local area network; and if the user terminal is not IEEE 802.1x compliant, redirecting an authentication request to an HTTP server for utilizing a browser based authentication protocol.

2. The method according to claim 1, further comprising the steps of, if the user terminal is IEEE 802.1x compliant, transmitting an authentication request to an authentication server and receiving an authentication response utilizing the IEEE 802.1x protocol, and controlling user terminal access to the wireless local area network in response to the authentication response.

3. The method according to claim 1, further comprising the step of configuring a packet filtering module to redirect the authentication request to the HTTP server.

4. The method according to claim 3, further comprising the step of maintaining state information in the wireless local area network for use by the packet filtering module and the HTTP server.

5. The method according to claim 4, wherein the state information includes one of a first state indicative of an ongoing authentication process, a second state indicative of authentication failure, a third state indicative of authentication success, and a fourth state indicative of an IEEE 802.1x noncompliant user terminal.

6. An access point in communication with a user terminal in a wireless local area network, comprising: means to determine if the user terminal utilizes an IEEE 802.1x protocol; means for employing the IEEE 802.1x protocol in said access point, if said user terminal utilizes the IEEE 802.1x protocol; and means for employing an authentication means compatible with the user terminal if the user terminal employs a protocol other than the IEEE 802.1x protocol; wherein the means to determine includes means for communicating to the user terminal a Request-Identity extensible authentication protocol packet, and if the user terminal utilizes the IEEE 802.1x protocol the access point receives a Response-Identity extensible authentication protocol packet.

7. The access point in claim 6, further comprising means to configure an internet protocol packet filtering means to redirect the user terminal request to a local server if the user terminal does not utilize said IEEE 802.1x protocol.

8. The access point in claim 6, further comprising means to communicate IEEE 802.1x protocol exchanges and means to establish internet protocol packet filtering through an internet protocol packet filter means and state information to control the user terminal access during and after an IEEE 802.1x based authentication process if the access point detects that the user terminal is IEEE 802.1x protocol compliant.

9. A method for controlling access by a user terminal in a wireless local area network by determining whether the user terminal utilizes an IEEE 802.1x protocol, comprising the steps of: an access point communicating to the user terminal a request to identify, and if the user terminal utilizes an IEEE 802.1x protocol, acknowledging the request to identify, otherwise the access point determining that the user terminal is not IEEE 802.1x compliant and selecting an authentication mechanism compatible with the user terminal; wherein the access point determines that the user terminal is not IEEE 802.1x compliant when it does not receive an extensible authentication protocol identity response packet after a timeout value.

10. The method according to claim 9, further comprising the step of the access point detecting that if the user terminal is not IEEE 802.1x compliant, then configuring an internet protocol packet filter and redirecting a user request to a local server.

11. The method according to claim 9, further comprising the step of the access point transitioning to a state corresponding to a browser based authentication protocol if the user terminal is not IEEE 802.1x compliant.

12. The method according to claim 10, further comprising the step of the local server communicating to the user terminal information specifically related to a browser based authentication protocol.

13. The method according to claim 12, further comprising the step of the access point transitioning to a state, if the user terminal utilizes the IEEE 802.1x protocol, that indicates that the user terminal is IEEE 802.1x compliant and thereafter processing all communication utilizing the IEEE 802.1x protocol.

14. The method according to claim 12, further comprising the step of the access point transitioning to a state corresponding to a browser based authentication protocol if authentication fails.

15. A method for controlling access of a user terminal in a wireless local area network by determining whether the user terminal utilizes an IEEE 802.1x protocol, comprising the steps of: communicating through an access point to the user terminal a request to identify, and if the user terminal utilizes an IEEE 802.1x protocol, acknowledging the request to identify, otherwise determining by the access point that the user terminal is not IEEE 802.1x compliant, selecting an authentication mechanism compatible with the user terminal, detecting in the access point if the user terminal is not IEEE 802.1x compliant, then configuring an internet protocol packet filter means, and redirecting a user request to a local server.

16. The method according to claim 15, further comprising the step of determining in the access point that the user terminal is not IEEE 802.1x compliant if the user terminal does not receive an extensible authentication protocol identity response packet after a preset time.

17. The method according to claim 15, further comprising the step of communicating from the local server to the user terminal information specifically related to a browser based authentication protocol.

18. The method according to claim 15, further comprising the step of transitioning to a state in the access point, if the user terminal utilizes the IEEE 802.1x protocol, that indicates that the user terminal is IEEE 802.1x compliant and thereafter processing all communication utilizing the IEEE 802.1x protocol.

19. The method according to claim 15, further comprising the step of transitioning to a state in the access point corresponding to a browser based authentication protocol if the user terminal is not IEEE 802.1x compliant.

20. The method according to claim 18, further comprising the step of transitioning to the state in the access point corresponding to a browser based authentication protocol if authentication fails.